The CyberWire Daily Podcast 5.26.22
Ep 1587 | 5.26.22

"Pantsdown" firmware vulnerability. ChromeLoader warning. Conti update. Ransomware at SpiceJet. CISA's Known Exploited Vulnerabilities Catalog expands. Kyiv honors Google. Reformed ID thief.


Dave Bittner: QCT baseboard management controllers are caught with their pants down. A warning on ChromeLoader; Conti updates; ransomware's effect on SpiceJet; CISA's Known Exploited Vulnerabilities Catalog expands again. Kyiv honors Google. Josh Ray from Accenture reminds us it's Military Appreciation Month. Our guest is Melissa Bischoping from Tanium with lessons learned from the American Dental Association ransomware attack; and a poacher turned gamekeeper.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, May 26, 2022. 

"Pantsdown" in QCT Baseboard Management Controllers.

Dave Bittner: Eclypsium this morning published research into the susceptibility of Quanta Cloud Technology servers to exploitation via the pantsdown baseboard management controller flaw. This vulnerability can provide an attacker with full control over the server, including the ability to propagate ransomware, stealthily steal data or disable the BMC or the server itself. Additionally, by gaining code execution in the BMC, attackers could steal the BMC credentials, which could allow the attack to spread to other servers in the same IPMI group. Patches are expected soon, and Eclypsium notes that the most recent versions of affected QCT products have a secure boot capability that should serve to mitigate risk in the meantime. Eclypsium's Executive Summary offers some useful reflections on the business implications of moving to the cloud and of the security issues one needs to remain aware of in doing so. Cloud services are still susceptible to firmware issues that arise in their hardware. 

Warning on ChromeLoader.

Dave Bittner: Red Canary researchers describe ChromeLoader, a browser hijacker that modifies browser settings and redirects victims to advertisement websites. The malware is hidden inside what appears as a cracked video game or pirated movie or TV show. The malware uses PowerShell to inject itself into the browser and adds a malicious extension to it, which can be seen in PowerShell. And this is how, Red Canary explains, ChromeLoader was discovered. The PowerShell script allows for other malware to come in undetected and gain a hold on personal browser information. 

Conti updates.

Dave Bittner: The Conti ransomware gang may have splintered, perhaps acting on the old corporate raider or dissident shareholder premise that a business can unlock value by breaking itself up. OODA Loop suggests as much, with its headline "Is the Conti Ransomware Gang Stronger Apart Than Together?" But Conti data dumps have continued. The Record reports that the gang, or a part of it, or a reorganizing successor, has "published all of the data it stole during a January attack on the government servers of Linn County, Oregon."

Ransomware at SpiceJet.

Dave Bittner: The BBC reports that Indian airline SpiceJet reports that it's been able to restore its affected IT systems and that flights whose delays had continued into yesterday were now operating normally. The Loadstar reports, however, that passenger complaints continue and that disruption to operations also affected the airline's freight unit. Disgruntled passengers suggest that corporate communications should play an important role in incident response. CNBC discusses lessons others might learn from the incident and notes that even a partially successful ransomware attempt can have a very bad effect on a business. 

CISA's Known Exploited Vulnerabilities Catalog expands, again.

Dave Bittner: Feds take note. The U.S. Cybersecurity and Infrastructure Security Agency yesterday added thirty-four more vulnerabilities to its Known Exploited Vulnerabilities Catalog, bringing the total of new entries for this week to 75. U.S. federal civilian executive agencies are expected to scan for and fix the vulnerabilities and to report completion by June 15.

Google honored by Kyiv.

Dave Bittner: Things are relatively quiet on the cyber front of Russia's hybrid war in Ukraine, although the Ukrainian government has honored Google's assistance with cybersecurity and IT generally with Kyiv's first Peace Prize. Ukraine's government has honored Google for the assistance the company has rendered to Ukraine during Russia's invasion. The award was presented at Davos by Vice Prime Minister and Minister of Digital Transformation Mykhailo Fedorov when he met with Google's Vice President for Government Affairs and Public Policy Karan Bhatia at the World Economic Forum. 

Dave Bittner: Fedorov said, "From February 24, a new history began not only for Ukraine but also for the global community. The world is changing. The old system no longer works. Everyone should express a clear position whom they support. With this award, we are pleased to emphasize that Google is a great friend of Ukraine. Literally from the first days of the war, you began to help us on the information front with many business initiatives and, most importantly, humanitarian support for our citizens." He drew particular attention not only to Google and Google-inspired donations to Ukraine, which have amounted to some $45 million, but also to Google's actions against Russian interests.

Dave Bittner: Google's Bhatia was appreciative and said, "The war in Ukraine and resulting humanitarian crisis is devastating. From the beginning of the war, we've sought to help however we can. We've committed over $45 million to humanitarian support and worked to ensure our tools are being as helpful as they can be, providing trustworthy information and fighting against cyberattacks. We're humbled and honored that our work has been recognized with this special Peace Prize from Ukraine's president, Volodymyr Zelenskyy. We will continue to work with the Ukrainian government to provide more support for as long as we are needed."

Poacher turned gamekeeper? We hope so.

Dave Bittner: And finally, there's a story that hints at the possibility of atonement and redemption after a career in crime even when the larceny is grand, and grand it was in this case. An AFP story published in France 24 tells the story of Ngo Minh Hieu, a Vietnamese national who was convicted in the U.S. of the theft and sale of personal information. Secret Service agent Matt O'Neill, who executed the plan to catch Hieu, told KrebsOnSecurity in 2020, "I don't know of any other cybercriminal who has caused more material financial harm to more Americans than Ngo." He served a term of seven years in U.S. prison and has now returned to Ho Chi Minh City, where he works on security research and education.

Dave Bittner: Ngo says he hopes to educate Vietnamese on the threat of criminals like the criminal he used to be. He earned millions illicitly and, of course, lost it. But Ngo now lives quietly and modestly. He conducts, he says, nonpolitical research into cybercrime. We hope he'll be able to work honestly without undue co-option by his country's regime. Best of luck to him. And we hope reform works out for him. 

Dave Bittner: The American Dental Association recently found itself the unfortunate victim of a ransomware attack, one of many organizations that got hit by the Black Basta threat group. The incident shines a light on the strong possibility of there being secondhand victims. For insights on this, I spoke with Melissa Bischoping, director and endpoint research specialist at Tanium. 

Melissa Bischoping: So, you know, Black Basta really emerged into the field in April of 2022 - so relatively a new player by name. The ADA breach, particularly being one of the first high-profile attacks that they've claimed of the dozen or so that they've done - this is - you know, it's a new name. However, we're seeing a lot of similarities to Conti. And so I don't trade in speculation or rumors. There are some technical characteristics and just sort of their style of operations that suggest they may be doing copycat behavior. They could be another threat actor attempting to sort of eschew attribution or misdirect research, or they could be a rebrand. We don't entirely know yet, but we do know that some of the tactics and techniques are very similar. And so therefore some of the mitigating factors are going to be the same best practices. 

Dave Bittner: Well, let's dig into some of those tactics and techniques, and then we'll touch on some of the things folks should do to mitigate. What are they up to? 

Melissa Bischoping: So with this specific Black Basta ransomware, you know, they're going to have the entire attack chain that leads up to the actual execution, right? The execution of the ransomware itself is something that is done once they have administrative privileges on the machine. And they're going to go through looking to corrupt your ability to restore from backups. They're also doing a lot of data exfiltration, and that's one of the things I really want to zero in on here. This is an emerging trend that we've seen over 2019, 2020 and still continuing now into 2022 - is the data theft and exfiltration before encryption. You'll hear it referred to often as the double extortion or triple extortion or, in some cases, quad extortion ransomware to be able to maximize their return on investment and their opportunity for profit. 

Dave Bittner: So in terms of protection here, what should folks be doing? 

Melissa Bischoping: Well, so twofold - one, you know, the same ransomware best practices that we've been talking about for years still apply. This is your security hygiene, your patch management, multifactor authentication wherever possible, reducing the likelihood of credential reuse. And those are just really good security practices overall. But in addition to protecting yourself, you also need to be aware of the threat landscape as these double and triple extortion threat actors may affect businesses that you do business with or that you're a customer of. So if you're, you know, in the market of dental and health care and someone like the ADA gets breached, have you done the proactive hygiene and security that would keep you safe in the event that some of your data was what was stolen? 

Dave Bittner: So, I mean, it really - it's almost a mindset kind of thing of being sure to think beyond your own organization. 

Melissa Bischoping: Absolutely. You know, I talk to a lot of security leaders who, when any, you know, high-profile, well-connected organization is attacked, they immediately are asking, am I next? Does this affect me? Do we have systems that are connected? And so I think it's important to prioritize staying informed. When situations like this happen, there's a lot of speculation, and sometimes it's even well-intended speculation about what happened or who might be next. But prioritize connecting with the official channels. And, you know, the incident responders who work on these issues are going to be reaching out and providing timely information wherever possible. But also, sort of do a self-assessment of what is the likelihood that maybe an employee signed up for a service using their work account that may be connected to this because we're in an adjacent industry. The bottom line is, avoid the speculation and fear-mongering in the fallout of an attack, stay informed through the official communications and then proactively, you know, educate your employees about fallout, social engineering tactics, and do some proactive password resets as well. 

Dave Bittner: You know, whenever we talk about ransomware, of course, lateral movement is a concern. What things would you like to highlight when it comes to that? 

Melissa Bischoping: Sure. I sort of touched on this in one of my earlier statements. You may have something as simple as shared logins, or you may have credentials that have been reused. And while those systems aren't traditional lateral movement, if your employees are reusing those credentials, that offers now a potential for them to move into your environment because you've given them that access. So avoid creating that connection wherever possible. In addition, some systems may have a direct connection. Again, this is - let's abstract it from the ADA specifically. But if an organization gets breached that you have payment systems connected to or that you shared databases with, you need to be aware of where that connection exists and have that well-documented and monitored for security. 

Dave Bittner: What are the take-homes here? I mean, when you look at the situation here - how the ADA got hit and this particular ransomware group - what's the message you'd like people to take away from this? 

Melissa Bischoping: Absolutely. So in the wake of these kind of attacks, people say, well, what can we do to prevent this? How can we stop this next time? What do we do? There's never going to be a silver bullet to 100% prevention of things like ransomware attacks. So much like the medical industry and the dental industry, you can do some really great preventative measures that are - you know, we have researched these, and we know that they're effective in preventing cavities, just like we know that there's certain things you can do that will prevent your exposure to ransomware attacks. However, you need to be layering that with improving your time to detect and respond and creating efficiency for your teams to be able to contain that blast radius and reduce the damage. So, you know, with every ransomware headline, the same fears emerge. It's important to note, though, that doing credential hygiene, asset visibility, you know, patch management - all of these are highly effective at reducing your blast radius and giving you time to go improve your detection and remediation skills. 

Dave Bittner: That's Melissa Bischoping from Tanium. 

Dave Bittner: And joining me once again is Josh Ray. He is managing director and global cyberdefense lead at Accenture Security. Josh, always great to welcome you back to the show. We are winding down military appreciation month here, the month of May. I know this is a topic that's kind of near and dear to your heart, of making sure that we're reaching out and including folks - former military folks, providing those opportunities for them in the cybersecurity world. 

Josh Ray: Yeah, David, it is a topic that is near and dear to my heart. And, you know, every year, approximately 200,000 men and women leave U.S. military service and return to life as civilians. And many of these veterans have years of professional training and real-world experience and, you know, IT and cybersecurity. And, you know, they are leaving service, you know, with these valuable cybersecurity skills that are very much in demand. And then veterans from all military branches and career fields, they bring a wealth of skills and attributes to the table, as you know. And these characteristics, you know, can include, you know, strong leadership and teamwork, high degree of integrity. And also, you know, I think especially in this field, maintaining composure under pressure is key. 

Dave Bittner: Is there a bit of a culture shock that folks sometimes have when they're coming out of the military and heading into private industry? And, you know, as employers, are there things that we can do to help that transition? 

Josh Ray: Yeah, there is definitely a decalcification effect that occurs, you know, anytime you're looking to transition from, say, public sector or, you know, a branch of the military. So, you know, I reached out to a lot of our vets that work at Accenture Security, and we kind of distilled things down to four ways to kind of get started in this career in cybersecurity. And first is really around finding your new mission and niche, so familiarizing yourself with the many positions within the cybersecurity field, right? So don't just limit yourself maybe to what you have direct experience in. And that might be a good foot in the door. But you can visit places like the National Institute for Cybersecurity Careers and Studies to learn more about different career paths. 

Josh Ray: We also recommend, you know, even though certification is not always just a single thing that you need to get a job, it helps make yourself a little bit more recognized to employers and helps kind of get past that first stage of review of, say, a resume. It makes you a little bit more marketable. And it also will help, you know, expanding your skill set by maybe rounding yourself out. So getting that certification is useful. The next two are really around just, you know, kind of finding a mentor and building your brand. So, you know, finding a mentor that can help guide your, you know, your search - don't be afraid to use your network, your existing network. I mean, the military network is extremely powerful. And friends and associates to really help you meet people and - that are already working in the cyber security field. 

Josh Ray: And then lastly, it's really around building your brand, right? You need to be able to speak to recruiters who maybe don't have military experience and explain your qualifications and your experience in a way that is relevant and kind of very specific to not only the jobs that you might be interested in, but people that don't have that jargon or understanding of, you know, of that military lingo. I'd say the last thing is about really just finding the right company - right? - with the right values that's important to you personally and has a mission. And I think, you know, being a vet and, you know, still wanting to be of service to kind of a new set of stakeholders is incredibly important to many of us. And there is a way to do that within the commercial sector. But, you know, it's really about finding the right company that aligns to, you know, your own kind of personal ambitions and something that's going to further your career in that light.

Dave Bittner: All right. Well, good advice, as always. Josh Ray, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. 

Dave Bittner: Our amazing CyberWire team is Rachel Gelfand, Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.